November 5, 2013

Geo-location and IP range restriction for Nimble Streamer

Many media streamers want to limit their media by geographical location or sub-network. As a media server, Nimble Streamer is used as part of infrastructures where this limitation is crucial. That's why it's now available in our feature set. If you haven't installed Nimble Streamer yet, you need to follow this simple installation procedure.

Nimble and WMSPanel can set up the following behavior:
  • Define allow and deny lists for country access.
  • Set up separate IP ranges to include in the allow/deny lists.
The workflow is simple: when a viewer connects to Nimble, the server checks whether the viewer's country is in the deny list or whether the viewer is limited by another IP-based condition. If the viewer is allowed to connect, the connection is established.

Nimble Streamer geo-location restriction.

This is provided as part of WMSAuth feature set.

1. Geo-location base update

Nimble uses the MaxMind GeoIP database to map IPs to countries. Each Nimble Streamer instance updates its geo-location database automatically: it checks the geo base once a day and applies any update right away.

Click on Control -> WMSAuth paywall setup top menu to start the setup process.

2. WMSAuth group

In WMSAuth, every restriction may be applied to a group of servers. So the first thing to do is to create a group and assign one or more Nimble servers to it. Check the screenshot below for details.

You can create any number of groups and assign each server to any of them. Of course, you can add multiple servers to each group.

3. WMSAuth rule

Within a group, there may be several rules, each working with its own set of streaming entities. Just click on "Add rule" to open the rule creation page.

First, enter the rule name, then go to the section called "What do you want to restrict". Check the screenshot to see where you can specify the application or stream name regular expression. Since we use the same interface for controlling Wowza and Nimble WMSAuth, you can see the application instance field as well; you should skip it for Nimble.
E.g. to restrict a single stream, you can specify "Application" as "live_stream" and "Stream" as "test". If you want to block all streams under the "live" application, you can fill in "Application" only, as shown on the screenshot.
The Virtual host field specifies the domain name which is used for accessing media.

Specifying application or stream to be protected against hotlinking.

Now scroll down to Geo and IP-based restrictions section.

Allow and deny lists for geo-location and IP ranges.

Here you can add countries or pre-defined ranges to either allow or deny list.

Deny rules have top priority over allow rules. If you need the opposite, just click on "Allow list has priority over Deny list" checkbox.

IP range access is the next thing you can control via our panel. You can define a named set of IP addresses which may be used in allow/deny lists. Go to the "Manage custom IP ranges" page and add one or more ranges in CIDR notation. The ranges you define are available across all WMSAuth groups under the name you give them when creating or editing them.

CIDR is used for entering IP ranges.
Once the IP ranges are ready, you may use them in allow and deny lists.

After you save the rule, it will be applied to the server within a few seconds. Now when the rule is enabled, the media is restricted properly.

Custom HTTP return codes

By default, Nimble Streamer returns a 403 response code if a viewer is not allowed to view the stream via HTTP. If you want to return some other code, use the wmsauth_geo_deny_error_code and wmsauth_ip_range_deny_error_code config parameters to define it for geo-location and IP range restriction responses respectively, like this:
wmsauth_geo_deny_error_code = 451
wmsauth_ip_range_deny_error_code = 451
Read this article to learn more about changing Nimble Streamer configuration file.


Q: How do I allow my stream for just one country and forbid for all others?

Say you need people from Antigua and Barbuda to watch your live broadcast and want to hide it from all other countries. Then just add the country to the allow list, scroll down to re-publishing protection, check all protocols and enter any non-zero length password. So if someone comes from Antigua, he (or she) will pass the check for the allow list and will be allowed to watch the stream. Any guy from, say, Jamaica, will pass the check for country (as Jamaica is in neither the allow nor the deny list) but will fail the check for re-publishing protection.
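
The list priority described in the rule setup and the allow-only case from this answer can be modelled in a few lines. This is an added example, not Nimble Streamer or WMSPanel code: the Rule class, the function names and the sample IP-to-country table are assumptions made for illustration, as is treating a country match and an IP range match as equivalent hits on a list.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the GeoIP lookup: documentation-only address
# ranges mapped to country codes purely for this example.
GEO_SAMPLE = {
    "198.51.100.0/24": "AG",  # Antigua and Barbuda
    "203.0.113.0/24": "JM",   # Jamaica
    "192.0.2.0/24": "US",
}

@dataclass
class Rule:  # hypothetical model of one WMSAuth rule, not the panel's format
    allow_countries: set = field(default_factory=set)
    deny_countries: set = field(default_factory=set)
    allow_ranges: list = field(default_factory=list)  # CIDR strings
    deny_ranges: list = field(default_factory=list)   # CIDR strings
    allow_has_priority: bool = False  # the "Allow list has priority" checkbox

def country_of(ip):
    """Return the sample country code for ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cidr, code in GEO_SAMPLE.items():
        if addr in ipaddress.ip_network(cidr):
            return code
    return None

def in_ranges(ip, ranges):
    """True if ip falls inside any CIDR range in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def evaluate(rule, ip):
    """Return 'allow', 'deny', or 'continue' (no list matched, so the
    remaining checks such as re-publishing protection decide)."""
    country = country_of(ip)
    allowed = country in rule.allow_countries or in_ranges(ip, rule.allow_ranges)
    denied = country in rule.deny_countries or in_ranges(ip, rule.deny_ranges)
    if allowed and denied:
        return "allow" if rule.allow_has_priority else "deny"
    if denied:
        return "deny"
    if allowed:
        return "allow"
    return "continue"
```

The "continue" outcome is the point to watch: an allow list on its own does not block anyone, so a rule that is meant to admit one country only also needs a check that everyone else fails.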

Q: What if WMSPanel becomes inaccessible due to network failure?

No problem, Nimble will still be able to work. All settings are stored on Nimble server side, so the restrictions will apply without interruptions and your assets will be protected regardless of WMSPanel accessibility.

Other features

You may authorize playback without a stream signature by using an external handler application. In this case you will be able to use your own geo-location restriction engine. You can read this article for more details.

You can block viewers by the HTTP User-Agent header in addition to the geo-location block, as well as block them by the HTTP Referer header.

Geo limitation also works with Pay-per-view for Nimble Streamer, which allows creating a custom workflow based on detailed real-time streaming information sent to your own handler.

Nimble Streamer is capable of several other features which are described on the Nimble Streamer website. If you want to know how to integrate this feature set into your workflow or you have any questions, feel free to contact us.

Related documentation

  • Nimble Streamer
  • Paywall for Nimble Streamer and Wowza
  • Hotlinking protection with stream-based signature
  • Adding Dispersa server IP range to allow list
  • Block viewers by HTTP User-Agent header
  • Block viewers by HTTP Referer header

This product includes GeoLite data created by MaxMind(c), available from
